Section: Scientific Foundations

Complex multiplication

Genus 1

Despite the achievements described above, random curves are sometimes difficult to use, since their cardinality is not easy to compute or useful instances are too rare to occur (curves for pairings, for instance). In some cases, curves with special properties can be used instead, for instance curves with complex multiplication (CM for short), whose cardinalities are easy to compute. For example, the elliptic curve defined over GF(p) by the equation $y^2 = x^3 + x$ has cardinality $p + 1 - 2u$ when $p = u^2 + v^2$, and computing $u$ is easy.
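As an added illustration (not code from the report), the following Python computes $u$ with Cornacchia's algorithm, applies the CM formula $p + 1 - 2u$ and checks it against a naive point count; the sign normalization $u \equiv 1 \pmod 4$, which the report does not spell out, is assumed here as the standard one, and all function names are this example's own.

```python
# Added example: cardinality of E: y^2 = x^3 + x over GF(p) by complex multiplication.
# For a prime p = 1 (mod 4), write p = u^2 + v^2; then #E(GF(p)) = p + 1 - 2u once the
# sign of u is fixed by u = 1 (mod 4) (standard normalization, assumed here).
from math import isqrt


def sqrt_minus_one(p):
    """Square root of -1 mod p for a prime p = 1 (mod 4): c^((p-1)/4) for a non-residue c."""
    for c in range(2, p):
        if pow(c, (p - 1) // 2, p) == p - 1:  # Euler's criterion: c is a non-residue
            return pow(c, (p - 1) // 4, p)
    raise ValueError("p is not a prime congruent to 1 mod 4")


def two_squares(p):
    """Cornacchia's algorithm: return (u, v) with p = u^2 + v^2, u odd, v even, both > 0."""
    r = sqrt_minus_one(p)
    a, b = p, min(r, p - r)        # Euclidean algorithm on (p, r), taking the root r < p/2
    bound = isqrt(p)
    while b > bound:               # the first remainder below sqrt(p) is one of the squares
        a, b = b, a % b
    u, v = b, isqrt(p - b * b)
    if u * u + v * v != p:
        raise ValueError("p is not a prime congruent to 1 mod 4")
    return (u, v) if u % 2 == 1 else (v, u)


def cm_cardinality(p):
    """#E(GF(p)) for y^2 = x^3 + x from the CM formula p + 1 - 2u, with no point counting."""
    u, _ = two_squares(p)
    if u % 4 == 3:                 # normalize the sign so that u = 1 (mod 4)
        u = -u
    return p + 1 - 2 * u


def naive_cardinality(p):
    """#E(GF(p)) by direct counting: the point at infinity plus 1 + legendre(x^3 + x) per x."""
    count = 1
    for x in range(p):
        f = (x * x * x + x) % p
        if f == 0:
            count += 1
        elif pow(f, (p - 1) // 2, p) == 1:
            count += 2
    return count


if __name__ == "__main__":
    for p in (5, 13, 17, 29, 10009):
        print(p, two_squares(p), cm_cardinality(p), naive_cardinality(p))
```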

The CM theory for genus 1 is well known and dates back to the middle of the nineteenth century (Kronecker, Weber, etc.). Its algorithmic part is also well understood, and more work was done recently, largely by TANC. Twenty years ago, this theory was applied by Atkin to the primality proving of arbitrary integers, yielding the ECPP algorithm, developed ever since by F. Morain. Though the decision problem isPrime? was shown to be in P (by the 2002 work of Agrawal, Kayal and Saxena), practical primality proving of large random numbers is still done only with ECPP.

These CM curves enabled A. Enge, R. Dupont and F. Morain to give an algorithm for building good curves that can be used in identity based cryptosystems [33].

CM curves are defined by algebraic integers, whose minimal polynomials have to be computed exactly, the coefficients being exact integers. The fastest algorithm to perform these computations requires a floating point evaluation of the roots of the polynomial to a high precision. F. Morain on the one hand, and A. Enge (together with R. Schertz) on the other, have developed the use of new class invariants that characterize CM curves. The union of these two families is currently the best that can be achieved in the field (see [7]). Later, F. Morain and A. Enge designed a fast method for the computation of the roots of this polynomial over a finite field using Galois theory [36]. These invariants, together with this new algorithm, are incorporated in the working version of the program ECPP.

F. Morain analyzed a fast variant of ECPP, called fastECPP, which led him to gain one order of magnitude in the complexity of the problem (see [12], [58]), reaching heuristically $O((\log N)^{4+\epsilon})$, compared to $O((\log N)^{5+\epsilon})$ for the basic version. By comparison, the best proven version of AKS [54] has complexity $O((\log N)^{6+\epsilon})$ and has not been implemented so far; the best randomized version [25] reaches the same $O((\log N)^{4+\epsilon})$ bound but suffers from memory problems and is not competitive yet. F. Morain implemented fastECPP and was able to prove the primality of 10,000 decimal digit numbers [12], as opposed to 5,000 for the basic (historical) version. Continuous improvement of this algorithm led to new records in primality proving, some of which were obtained with his co-authors J. Franke, T. Kleinjung and T. Wirth [38], who developed their own programs. F. Morain set the current world record to 20,562 decimal digits in early June 2006, as opposed to 15,071 two years before. This record was made possible by using an updated MPI-based implementation of the algorithm and its distribution process on a cluster of 64-bit bi-processors (AMD Opteron(tm) Processor 250 at 2.39 GHz). In 2007, another large number was proven to be prime, namely $(2^{42737} + 1)/3$, with 12,865 decimal digits.

In his thesis, R. Dupont has investigated the complexity of the evaluation of some modular functions and forms (such as the elliptic modular function $j$ or the Dedekind eta function). High precision evaluation of such functions is at the core of algorithms to compute class polynomials (used in complex multiplication) or modular polynomials (used in the SEA elliptic curve point counting algorithm).

Exploiting the deep connection between the arithmetic-geometric mean (AGM) and a special kind of modular forms known as theta constants, he devised an algorithm based on Newton iterations and the AGM that has quasi-optimal linear complexity. In order to certify the correctness of the result to a specified precision, a fine analysis of the algorithm and its complexity was necessary [14].

Using similar techniques, he has given a proven algorithm for the evaluation of the logarithm of complex numbers with quasi-optimal time complexity.
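To make the AGM-to-logarithm connection concrete, here is an added example that is not R. Dupont's algorithm: the classical formula $\ln s \approx \pi / (2\,\mathrm{AGM}(1, 4/s))$ for large $s$, with $\pi$ itself obtained from the Gauss-Legendre AGM iteration, so the whole evaluation is AGM iterations plus a rescaling. It works in double precision only (the report's work concerns arbitrary precision with proven error bounds), and the constant `SHIFT` and the function names are this example's own.

```python
# Added example: a real logarithm evaluated with the arithmetic-geometric mean (AGM),
# using the classical formula ln(s) ~ pi / (2 * AGM(1, 4/s)), whose error is O(ln(s)/s^2).
# Double precision only; not the proven arbitrary-precision algorithm discussed in the report.
from math import frexp, sqrt

SHIFT = 40  # rescale inputs to about 2^40 so the formula's O(ln(s)/s^2) error is negligible


def agm(a, b):
    """AGM: iterate (a, b) <- ((a+b)/2, sqrt(ab)); quadratic convergence, 100 rounds is a cap."""
    for _ in range(100):
        if abs(a - b) <= 4e-16 * a:
            break
        a, b = (a + b) / 2, sqrt(a * b)
    return (a + b) / 2


def agm_pi():
    """Gauss-Legendre AGM iteration for pi; four rounds exceed double precision."""
    a, b, t, p = 1.0, sqrt(0.5), 0.25, 1.0
    for _ in range(4):
        an = (a + b) / 2
        b = sqrt(a * b)
        t -= p * (a - an) ** 2
        p *= 2
        a = an
    return (a + b) ** 2 / (4 * t)


def log_large(s, pi):
    """ln(s) for s >> 1 from a single AGM: pi / (2 * AGM(1, 4/s))."""
    return pi / (2 * agm(1.0, 4.0 / s))


def agm_log(x):
    """ln(x) for x > 0: write s = x * 2^m with s in [2^SHIFT, 2^(SHIFT+1)), then ln(x) = ln(s) - m*ln(2)."""
    if x <= 0:
        raise ValueError("log undefined for x <= 0")
    _, e = frexp(x)                 # x = mantissa * 2^e with 0.5 <= mantissa < 1
    m = SHIFT - e + 1               # x * 2^m then lies in [2^SHIFT, 2^(SHIFT+1))
    pi = agm_pi()
    ln2 = log_large(2.0 ** SHIFT, pi) / SHIFT   # ln(2) from the same AGM formula
    return log_large(x * 2.0 ** m, pi) - m * ln2


if __name__ == "__main__":
    for x in (1.0, 2.0, 10.0, 0.001, 1e12):
        print(x, agm_log(x))
```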

Genus 2

The theory of complex multiplication also exists for non-elliptic curves, but it is more intricate, and only recently has it become realistic to use such curves. Some of the recent results stem from the work of R. Dupont (former member of TANC) in his thesis.

R. Dupont has worked on adapting his algorithm to genus 2, which induces great theoretical and technical difficulties. He has studied a generalization of the AGM known as Borchardt sequences, has proven the convergence of these sequences in a general setting, and has determined the set of limits such sequences have in genus 2. He then developed an algorithm for the fast evaluation of theta constants in genus 2 and, as a byproduct, obtained an algorithm to compute the Riemann matrix of a given hyperelliptic curve: given the equation of such a curve, it computes a lattice $L$ such that the Jacobian of the curve is isomorphic to $\mathbb{C}/L$. These algorithms are both quasi-linear and have been implemented (in C, using the multiprecision package GMP; see ).

Using these implementations, R. Dupont has begun computing modular polynomials for groups of the form $\Gamma_0(p)$ in genus 2 (these polynomials link the genus 2 $j$-invariants of $p$-isogenous curves). He computed the modular polynomials for $p = 2$, which had never been done before, and did some partial computations for $p = 3$ (results are available at ).

He also studied more theoretically the main ingredient used in his algorithms in genus 2, a procedure known as Borchardt sequences. In particular, he proved a theorem that parametrizes the set of all possible limits of Borchardt sequences starting with a fixed 4-tuple.
